Is this a MQ security risk?
Monk
Posted: Wed Sep 09, 2009 4:28 am    Post subject: Is this a MQ security risk?

Master

Joined: 21 Apr 2007
Posts: 282

Hi All,

I have a question related to MQ security.

Following is the scenario.

Assume I have an AIX box running MQ v > 6.

I write a C application in which I open some queue and put a message. Note here that when I open a queue I set, in the put options, the "set Identity context" option.

Now I have a simple cluster like so:
QM1 and QM2 in "CLUSTER"

And I have defined an alias queue, say "TEST.ALIAS", and this points to a cluster queue "TEST.CLQ" which is locally defined on QM2.

And on QM2, I have a receiver channel TO.QM2 in which I have set PUTAUT(CTX) instead of the default.

Now the C application can set 'mqm' in the MQMD.userid field and put the message on the alias queue "TEST.ALIAS" on QM1, of course assuming I have given it connect and put permissions respectively.


According to the documentation, MQ should put the message on TEST.CLQ as "mqm".
Is this correct?

And if so, isn't this a security hole?

I have tried this on Windows, and I was able to do this.

This led me to believe that setting PUTAUT(CTX) is a security risk.

Am I correct in my assumption, or have I gone wrong somewhere?

Thanks
_________________
Thimk
mqjeff
Posted: Wed Sep 09, 2009 4:39 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Yes.

MQ requires specific tuning and careful planning to secure. And PUTAUT(CTX) is never a good idea.

But none of this is new.
exerk
Posted: Wed Sep 09, 2009 4:40 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Please give me all your bank account details, including passwords. I shall then masquerade as you, because you have given me the authority to do so, and empty said bank account.

Do you think that would be a security risk?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Monk
Posted: Wed Sep 09, 2009 4:46 am

Master

Joined: 21 Apr 2007
Posts: 282

Quote:
Please give me all your bank account details, including passwords. I shall then masquerade as you, because you have given me the authority to do so, and empty said bank account.

Do you think that would be a security risk?


So yes it is a security risk.

I just wanted to confirm.
_________________
Thimk
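
One way to audit for the setting discussed in this thread, as an added example that is not part of any post: the script parses `DISPLAY CHANNEL(*) PUTAUT` output from runmqsc and lists message-receiving channels set to PUTAUT(CTX). The sample output is constructed (only TO.QM2 and its PUTAUT(CTX) setting come from the thread), and the function names are hypothetical.

```python
import re

# Constructed sample of runmqsc output for `DISPLAY CHANNEL(*) PUTAUT`.
# Only TO.QM2 with PUTAUT(CTX) comes from the thread; the other channels are made up.
SAMPLE = """\
     1 : DISPLAY CHANNEL(*) PUTAUT
AMQ8414: Display Channel details.
   CHANNEL(TO.QM1)                         CHLTYPE(CLUSSDR)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(CLUSRCVR)
   PUTAUT(CTX)
AMQ8414: Display Channel details.
   CHANNEL(APP.IN)                         CHLTYPE(RCVR)
   PUTAUT(DEF)
"""

# Matches one KEYWORD(value) pair; runmqsc prints one or two per line.
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")
# Channel types that receive messages and therefore carry a PUTAUT setting.
RECEIVING = {"RCVR", "RQSTR", "CLUSRCVR"}


def parse_channels(text):
    """Split runmqsc output into one attribute dict per channel."""
    channels, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8414"):      # start of a new channel record
            current = {}
            channels.append(current)
        elif current is not None:           # skips the echoed command line
            for key, value in ATTR.findall(line):
                current[key] = value.strip()
    return channels


def channels_trusting_context(text):
    """Names of receiving channels that put using the MQMD user ID."""
    return [c["CHANNEL"] for c in parse_channels(text)
            if c.get("CHLTYPE") in RECEIVING and c.get("PUTAUT") == "CTX"]


if __name__ == "__main__":
    for name in channels_trusting_context(SAMPLE):
        print(f"{name}: PUTAUT(CTX), puts are authorized as the "
              "user ID carried in the message descriptor")
```

Channels it reports can be set back to PUTAUT(DEF), the default the original post mentions, so that puts are no longer authorized against the user ID carried in the message.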